Validate empty container image aligned with Go new container validation

ericsciple · ericsciple · commit ba800d53e37f · 2026-02-05T22:46:17.000Z
- container: '' is silent (null) for job containers, error for services
- docker:// prefix stripped before empty check
- Expression-aware: only skips validation when image itself is expression
- Expression keys in container/services mappings handled gracefully
- Removes legacy convertToJobCredentials (validation-only, no detailed field checking)
diff --git a/workflow-parser/src/model/converter/container.ts b/workflow-parser/src/model/converter/container.ts
@@ -1,114 +1,107 @@
 import {TemplateContext} from "../../templates/template-context.js";
-import {MappingToken, SequenceToken, StringToken, TemplateToken} from "../../templates/tokens/index.js";
+import {StringToken, TemplateToken} from "../../templates/tokens/index.js";
 import {isString} from "../../templates/tokens/type-guards.js";
-import {Container, Credential} from "../workflow-template.js";
-
-export function convertToJobContainer(context: TemplateContext, container: TemplateToken): Container | undefined {
-  let image: StringToken | undefined;
-  let env: MappingToken | undefined;
-  let ports: SequenceToken | undefined;
-  let volumes: SequenceToken | undefined;
-  let options: StringToken | undefined;
-
-  // Skip validation for expressions for now to match
-  // behavior of the other parsers
-  for (const [, token] of TemplateToken.traverse(container)) {
-    if (token.isExpression) {
-      return;
-    }
+import {Container} from "../workflow-template.js";
+
+const DOCKER_URI_PREFIX = "docker://";
+
+export function convertToJobContainer(
+  context: TemplateContext,
+  container: TemplateToken,
+  isServiceContainer = false
+): Container | undefined {
+  // Expression? Skip validation
+  if (container.isExpression) {
+    return;
   }
 
+  // Shorthand form
   if (isString(container)) {
-    // Workflow uses shorthand syntax `container: image-name`
-    image = container.assertString("container item");
+    const image = container.assertString("container item");
     if (!image || image.value.length === 0) {
+      // Error for service container, silent for job container
+      if (isServiceContainer) {
+        context.error(container, "Container image cannot be empty");
+      }
+      return;
+    }
+
+    // Trim docker:// prefix and check if empty
+    const trimmed = image.value.startsWith(DOCKER_URI_PREFIX)
+      ? image.value.substring(DOCKER_URI_PREFIX.length)
+      : image.value;
+    if (trimmed.length === 0) {
       context.error(container, "Container image cannot be empty");
       return;
     }
-    return {image: image};
+
+    return {image};
   }
 
+  // Mapping form
   const mapping = container.assertMapping("container item");
-  if (mapping)
+
+  let hasExpressionKey = false;
+  let hasImageKey = false;
+
+  if (mapping) {
     for (const item of mapping) {
+      // Key is expression?
+      if (item.key.isExpression) {
+        hasExpressionKey = true;
+        continue;
+      }
+
       const key = item.key.assertString("container item key");
-      const value = item.value;
-
-      switch (key.value) {
-        case "image":
-          image = value.assertString("container image");
-          break;
-        case "credentials":
-          convertToJobCredentials(context, value);
-          break;
-        case "env":
-          env = value.assertMapping("container env");
-          for (const envItem of env) {
-            envItem.key.assertString("container env value");
-          }
-          break;
-        case "ports":
-          ports = value.assertSequence("container ports");
-          for (const port of ports) {
-            port.assertString("container port");
-          }
-          break;
-        case "volumes":
-          volumes = value.assertSequence("container volumes");
-          for (const volume of volumes) {
-            volume.assertString("container volume");
+
+      if (key.value === "image") {
+        hasImageKey = true;
+
+        // Expression? Skip
+        if (item.value.isExpression) {
+          continue;
+        }
+
+        const imageStr = item.value.assertString("container image");
+        if (imageStr) {
+          // Trim docker:// prefix and check if empty
+          const trimmed = imageStr.value.startsWith(DOCKER_URI_PREFIX)
+            ? imageStr.value.substring(DOCKER_URI_PREFIX.length)
+            : imageStr.value;
+          if (trimmed.length === 0) {
+            context.error(item.value, "Container image cannot be empty");
           }
-          break;
-        case "options":
-          options = value.assertString("container options");
-          break;
-        default:
-          context.error(key, `Unexpected container item key: ${key.value}`);
+        }
       }
     }
+  }
 
-  if (!image || image.value.length === 0) {
+  // Check for missing image key
+  if (!hasImageKey && !hasExpressionKey) {
     context.error(container, "Container image cannot be empty");
-  } else {
-    return {image, env, ports, volumes, options};
   }
 }
 
 export function convertToJobServices(context: TemplateContext, services: TemplateToken): Container[] | undefined {
+  // Expression? Skip validation
+  if (services.isExpression) {
+    return;
+  }
+
   const serviceList: Container[] = [];
 
   const mapping = services.assertMapping("services");
   for (const service of mapping) {
+    // Key is expression?
+    if (service.key.isExpression) {
+      continue;
+    }
+
     service.key.assertString("service key");
-    const container = convertToJobContainer(context, service.value);
+    const container = convertToJobContainer(context, service.value, true);
     if (container) {
       serviceList.push(container);
     }
   }
   return serviceList;
 }
-
-function convertToJobCredentials(context: TemplateContext, value: TemplateToken): Credential | undefined {
-  const mapping = value.assertMapping("credentials");
-
-  let username: StringToken | undefined;
-  let password: StringToken | undefined;
-
-  for (const item of mapping) {
-    const key = item.key.assertString("credentials item");
-    const value = item.value;
-
-    switch (key.value) {
-      case "username":
-        username = value.assertString("credentials username");
-        break;
-      case "password":
-        password = value.assertString("credentials password");
-        break;
-      default:
-        context.error(key, `credentials key ${key.value}`);
-    }
-  }
-
-  return {username, password};
-}
diff --git a/workflow-parser/testdata/reader/job-container-empty-image.yml b/workflow-parser/testdata/reader/job-container-empty-image.yml
@@ -2,61 +2,156 @@ include-source: false # Drop file/line/col from output
 ---
 on: push
 jobs:
+  # Empty shorthand - silent for job container (matches Go new behavior)
   build1:
     runs-on: linux
     container: ""
     steps:
       - run: echo hi
+  # Empty mapping image - error
   build2:
     runs-on: linux
     container:
       image: ""
     steps:
       - run: echo hi
+  # Empty service shorthand - error
   build3:
     runs-on: linux
     services:
       svc: ""
     steps:
       - run: echo hi
+  # Empty service mapping image - error
   build4:
     runs-on: linux
     services:
       svc:
         image: ""
     steps:
       - run: echo hi
+  # Null container - silent for job container
   build5:
     runs-on: linux
     container:
     steps:
       - run: echo hi
+  # Null service - error
   build6:
     runs-on: linux
     services:
       svc:
     steps:
       - run: echo hi
+  # Empty image with expression in other field - error
+  build7:
+    runs-on: linux
+    container:
+      image: ""
+      env:
+        FOO: ${{ secrets.X }}
+    steps:
+      - run: echo hi
+  # Empty service image with expression credential - error
+  build8:
+    runs-on: linux
+    services:
+      svc:
+        image: ""
+        credentials:
+          username: ${{ github.actor }}
+          password: secret
+    steps:
+      - run: echo hi
+  # docker:// prefix only - error
+  build9:
+    runs-on: linux
+    container: docker://
+    steps:
+      - run: echo hi
+  # docker:// prefix in mapping - error
+  build10:
+    runs-on: linux
+    container:
+      image: docker://
+    steps:
+      - run: echo hi
+  # docker:// service shorthand - error
+  build11:
+    runs-on: linux
+    services:
+      svc: docker://
+    steps:
+      - run: echo hi
+  # docker:// service mapping - error
+  build12:
+    runs-on: linux
+    services:
+      svc:
+        image: docker://
+    steps:
+      - run: echo hi
+  # Empty object (no image key) - error
+  build13:
+    runs-on: linux
+    container: {}
+    steps:
+      - run: echo hi
+  # Empty service object - error
+  build14:
+    runs-on: linux
+    services:
+      svc: {}
+    steps:
+      - run: echo hi
+  # Null image value - error
+  build15:
+    runs-on: linux
+    container:
+      image:
+    steps:
+      - run: echo hi
 ---
 {
   "errors": [
     {
-      "Message": ".github/workflows/job-container-empty-image.yml (Line: 5, Col: 16): Container image cannot be empty"
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 13, Col: 14): Container image cannot be empty"
+    },
+    {
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 20, Col: 12): Container image cannot be empty"
+    },
+    {
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 28, Col: 16): Container image cannot be empty"
+    },
+    {
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 41, Col: 11): Container image cannot be empty"
+    },
+    {
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 48, Col: 14): Container image cannot be empty"
+    },
+    {
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 58, Col: 16): Container image cannot be empty"
+    },
+    {
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 67, Col: 16): Container image cannot be empty"
+    },
+    {
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 74, Col: 14): Container image cannot be empty"
     },
     {
-      "Message": ".github/workflows/job-container-empty-image.yml (Line: 11, Col: 7): Container image cannot be empty"
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 81, Col: 12): Container image cannot be empty"
     },
     {
-      "Message": ".github/workflows/job-container-empty-image.yml (Line: 17, Col: 12): Container image cannot be empty"
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 89, Col: 16): Container image cannot be empty"
     },
     {
-      "Message": ".github/workflows/job-container-empty-image.yml (Line: 24, Col: 9): Container image cannot be empty"
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 95, Col: 16): Container image cannot be empty"
     },
     {
-      "Message": ".github/workflows/job-container-empty-image.yml (Line: 29, Col: 15): Container image cannot be empty"
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 102, Col: 12): Container image cannot be empty"
     },
     {
-      "Message": ".github/workflows/job-container-empty-image.yml (Line: 35, Col: 11): Container image cannot be empty"
+      "Message": ".github/workflows/job-container-empty-image.yml (Line: 109, Col: 13): Container image cannot be empty"
     }
   ]
 }
